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The ubiquity of the internet has led to educational, social, and entrepreneurial opportunities. But it has also 
created a new scale of privacy issues that outmatch existing laws. Cambridge Analytica and the Equifax data 
breach are but two symptoms of a much larger problem. 

Other countries and many states have taken important steps, but Congress must act. Reps. Anna Eshoo and Zoe 
Lofgren, who represent Silicon Valley, have introduced comprehensive privacy legislation that protects 
individuals, encourages innovation, and restores trust in technology companies. 

Key Provisions 

• Digital Privacy Agency (DPA). The bill creates a new federal agency to enforce users’ privacy rights and 
ensure companies follow the law. While unique for the U.S., this would be not the only privacy agency in 
existence. Every E.U. country has a privacy agency, and a California ballot initiative is proposing a new state 
agency. The DPA would be an independent agency with funding for up to 1,600 employees. 

• User Rights. The bill gives users the right to: 

o access, correct, delete, and transfer data about them; 
o request a human review of impactful automated decisions; 
o opt-in consent for using data for machine learning / A.l. algorithms; 
o be informed if a covered entity has collected your information; and 
o choose for how long their data can be kept. 

• Company Obligations. Companies must: 

o articulate the need for and minimize the user data they collect, process, disclose, and maintain; 
o minimize employee and contractor access to user data; 
o not disclose or sell personal information without explicit consent; 
o not use third-party data to reidentify individuals; 

o not use private communications, (e.g., emails and web traffic) for ads or other invasive purposes; 
o not process data in a way that violates civil rights, e.g., employment discrimination; 
o only process genetic information in limited circumstances; 

o use objectively understandable privacy policies and consent processes, and may not use ‘dark 
patterns’ to obtain consent; 

o employ reasonable cybersecurity policies to protect user data; and 

o notify the agency and users of breaches and data sharing abuses, e.g., Cambridge Analytica. 

• Enforcement 

o The DPA can issue regulations to implement this bill and issue fines for violations, 
o The max money damage is the same as the FTC Act’s max ($42,530 per incident), 
o State attorneys general may also bring civil actions for violations of this bill. 

o Individuals may sue for declaratory or injunctive relief; individuals (not acting collectively) may sue 
for damages. 

o Harmed individuals and States may appoint nonprofits to bring collective, private civil actions for 
damages on behalf of users. 

• Protections for Journalists. Expressly allows journalists to use or disclose personal information for 
investigative journalism no differently than they do today. This applies so long as there are safeguards against 
using the information for non-journalistic puiposes. 

• Additional Provisions. The bill criminalizes doxxing; limits companies from using data to build behavioral 
profiles without consent; exempts small businesses from the most onerous requirements; prohibits the sale of 
government records with personal data without consent, and creates an Open Source Machine Learning 
Training Data Grant Program. 






